From 4a423b29d89041c030414e8e218a33702cffe697 Mon Sep 17 00:00:00 2001
From: Daniel Kolesa <daniel@octaforge.org>
Date: Tue, 31 Jan 2023 00:55:50 +0100
Subject: [PATCH] clean up login.defs defaults

---
 etc/login.defs | 130 ++++---------------------------------------------
 1 file changed, 10 insertions(+), 120 deletions(-)

diff --git a/etc/login.defs b/etc/login.defs
index 114dbcd..70643ee 100644
--- a/etc/login.defs
+++ b/etc/login.defs
@@ -4,13 +4,6 @@
 #	$Id$
 #
 
-#
-# Delay in seconds before being allowed another attempt after a login failure
-# Note: When PAM is used, some modules may enforce a minimum delay (e.g.
-#       pam_unix(8) enforces a 2s delay)
-#
-FAIL_DELAY		3
-
 #
 # Enable logging and display of /var/log/faillog login(1) failure info.
 #
@@ -26,43 +19,6 @@ LOG_UNKFAIL_ENAB	no
 #
 LOG_OK_LOGINS		no
 
-#
-# Enable logging and display of /var/log/lastlog login(1) time info.
-#
-LASTLOG_ENAB		yes
-
-#
-# Limit the highest user ID number for which the lastlog entries should
-# be updated.
-#
-# No LASTLOG_UID_MAX means that there is no user ID limit for writing
-# lastlog entries.
-#
-#LASTLOG_UID_MAX
-
-#
-# Enable checking and display of mailbox status upon login.
-#
-# Disable if the shell startup files already check for mail
-# ("mailx -e" or equivalent).
-#
-MAIL_CHECK_ENAB		yes
-
-#
-# Enable additional checks upon password changes.
-#
-OBSCURE_CHECKS_ENAB	yes
-
-#
-# Enable checking of time restrictions specified in /etc/porttime.
-#
-PORTTIME_CHECKS_ENAB	yes
-
-#
-# Enable setting of ulimit, umask, and niceness from passwd(5) gecos field.
-#
-QUOTAS_ENAB		yes
-
 #
 # Enable "syslog" logging of su(1) activity - in addition to sulog file logging.
 # SYSLOG_SG_ENAB does the same for newgrp(1) and sg(1).
@@ -83,18 +39,6 @@ CONSOLE		/etc/securetty
 #
 #SULOG_FILE	/var/log/sulog
 
-#
-# If defined, ":" delimited list of "message of the day" files to
-# be displayed upon login.
-#
-MOTD_FILE	/etc/motd
-#MOTD_FILE	/etc/motd:/usr/lib/news/news-motd
-
-#
-# If defined, this file will be output before each login(1) prompt.
-#
-#ISSUE_FILE	/etc/issue
-
 #
 # If defined, file which maps tty line to TERM environment parameter.
 # Each line of the file is in a format similar to "vt100  tty01".
@@ -107,13 +51,6 @@ MOTD_FILE	/etc/motd
 #
 FTMP_FILE	/var/log/btmp
 
-#
-# If defined, name of file whose presence will inhibit non-root
-# logins.  The content of this file should be a message indicating
-# why logins are inhibited.
-#
-NOLOGINS_FILE	/etc/nologin
-
 #
 # If defined, the command name to display when running "su -".  For
 # example, if this is defined as "su" then ps(1) will display the
@@ -127,7 +64,7 @@ SU_NAME		su
 #   Directory where mailboxes reside, _or_ name of file, relative to the
 #   home directory.  If you _do_ define both, MAIL_DIR takes precedence.
 #
-MAIL_DIR	/var/spool/mail
+MAIL_DIR	/var/mail
 #MAIL_FILE	.mail
 
 #
@@ -139,27 +76,12 @@ MAIL_DIR	/var/spool/mail
 HUSHLOGIN_FILE	.hushlogin
 #HUSHLOGIN_FILE	/etc/hushlogins
 
-#
-# If defined, either a TZ environment parameter spec or the
-# fully-rooted pathname of a file containing such a spec.
-#
-#ENV_TZ		TZ=CST6CDT
-#ENV_TZ		/etc/tzname
-
-#
-# If defined, an HZ environment parameter spec.
-#
-# for Linux/x86
-ENV_HZ		HZ=100
-# For Linux/Alpha...
-#ENV_HZ		HZ=1024
-
 #
 # *REQUIRED*  The default PATH settings, for superuser and normal users.
 #
 # (they are minimal, add the rest in the shell startup files)
-ENV_SUPATH	PATH=/sbin:/bin:/usr/sbin:/usr/bin
-ENV_PATH	PATH=/bin:/usr/bin
+ENV_SUPATH	PATH=/usr/local/bin:/usr/bin
+ENV_PATH	PATH=/usr/local/bin:/usr/bin
 
 #
 # Terminal permissions
@@ -180,17 +102,13 @@ TTYPERM		0600
 #
 #	ERASECHAR	Terminal ERASE character ('\010' = backspace).
 #	KILLCHAR	Terminal KILL character ('\025' = CTRL/U).
-#	ULIMIT		Default "ulimit" value.
 #
 # The ERASECHAR and KILLCHAR are used only on System V machines.
-# The ULIMIT is used only if the system supports it.
-# (now it works with setrlimit too; ulimit is in 512-byte units)
 #
 # Prefix these values with "0" to get octal, "0x" to get hexadecimal.
 #
 ERASECHAR	0177
 KILLCHAR	025
-#ULIMIT		2097152
 
 # Default initial "umask" value used by login(1) on non-PAM enabled systems.
 # Default "umask" value for pam_umask(8) on PAM enabled systems.
@@ -204,7 +122,7 @@ UMASK		022
 # HOME_MODE is used by useradd(8) and newusers(8) to set the mode for new
 # home directories.
 # If HOME_MODE is not set, the value of UMASK is used to create the mode.
-#HOME_MODE	0700
+HOME_MODE	0700
 
 #
 # Password aging controls:
@@ -216,7 +134,7 @@ UMASK		022
 #
 PASS_MAX_DAYS	99999
 PASS_MIN_DAYS	0
-PASS_MIN_LEN	5
+PASS_MIN_LEN	0
 PASS_WARN_AGE	7
 
 #
@@ -238,7 +156,7 @@ CRACKLIB_DICTPATH	/var/cache/cracklib/cracklib_dict
 UID_MIN			 1000
 UID_MAX			60000
 # System accounts
-SYS_UID_MIN		  101
+SYS_UID_MIN		  100
 SYS_UID_MAX		  999
 # Extra per user uids
 SUB_UID_MIN		   100000
@@ -251,7 +169,7 @@ SUB_UID_COUNT		    65536
 GID_MIN			 1000
 GID_MAX			60000
 # System accounts
-SYS_GID_MIN		  101
+SYS_GID_MIN		  100
 SYS_GID_MAX		  999
 # Extra per user group ids
 SUB_GID_MIN		   100000
@@ -268,16 +186,6 @@ LOGIN_RETRIES		5
 #
 LOGIN_TIMEOUT		60
 
-#
-# Maximum number of attempts to change password if rejected (too easy)
-#
-PASS_CHANGE_TRIES	5
-
-#
-# Warn about weak passwords (but still allow them) if you are root.
-#
-PASS_ALWAYS_WARN	yes
-
 #
 # Number of significant characters in the password for crypt().
 # Default is 8, don't change unless your crypt() is better.
@@ -285,11 +193,6 @@ PASS_ALWAYS_WARN	yes
 #
 #PASS_MAX_LEN		8
 
-#
-# Require password before chfn(1)/chsh(1) can make any changes.
-#
-CHFN_AUTH		yes
-
 #
 # Which fields may be changed by regular users using chfn(1) - use
 # any combination of letters "frwh" (full name, room number, work
@@ -298,13 +201,6 @@ CHFN_AUTH		yes
 #
 CHFN_RESTRICT		rwh
 
-#
-# Password prompt (%s will be replaced by user name).
-#
-# XXX - it doesn't work correctly yet, for now leave it commented out
-# to use the default which is just "Password: ".
-#LOGIN_STRING		"%s's Password: "
-
 #
 # Only works if compiled with MD5_CRYPT defined:
 # If set to "yes", new passwords will be encrypted using the MD5-based
@@ -334,7 +230,7 @@ CHFN_RESTRICT		rwh
 # Note: If you use PAM, it is recommended to use a value consistent with
 # the PAM modules configuration.
 #
-#ENCRYPT_METHOD DES
+#ENCRYPT_METHOD SHA512
 
 #
 # Only works if ENCRYPT_METHOD is set to SHA256 or SHA512.
@@ -406,18 +302,12 @@ DEFAULT_HOME	yes
 #
 NONEXISTENT	/nonexistent
 
-#
-# If this file exists and is readable, login environment will be
-# read from it.  Every line should be in the form name=value.
-#
-ENVIRON_FILE	/etc/environment
-
 #
 # If defined, this command is run when removing a user.
 # It should remove any at/cron/print jobs etc. owned by
 # the user to be removed (passed as the first argument).
 #
-#USERDEL_CMD	/usr/sbin/userdel_local
+#USERDEL_CMD	/usr/bin/userdel_local
 
 #
 # Enable setting of the umask group bits to be the same as owner bits
@@ -445,7 +335,7 @@ USERGROUPS_ENAB yes
 # This option is overridden with the -M or -m flags on the useradd(8)
 # command-line.
 #
-#CREATE_HOME     yes
+CREATE_HOME     yes
 
 #
 # Force use shadow, even if shadow passwd & shadow group files are
-- 
2.39.0

